[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 352.620438][ T243] kworker/dying (243) used greatest stack depth: 22008 bytes left
Warning: Permanently added '10.128.1.19' (ECDSA) to the list of known hosts.
2020/08/08 12:21:16 parsed 1 programs
2020/08/08 12:21:16 executed programs: 0
[ 1047.546286][ T6852] IPVS: ftp: loaded support on port[0] = 21
[ 1047.656712][ T6852] chnl_net:caif_netlink_parms(): no params data found
[ 1047.708408][ T6852] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1047.716528][ T6852] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1047.726980][ T6852] device bridge_slave_0 entered promiscuous mode
[ 1047.736199][ T6852] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1047.743873][ T6852] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1047.752067][ T6852] device bridge_slave_1 entered promiscuous mode
[ 1047.772467][ T6852] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1047.783741][ T6852] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1047.805637][ T6852] team0: Port device team_slave_0 added
[ 1047.813613][ T6852] team0: Port device team_slave_1 added
[ 1047.832049][ T6852] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1047.839005][ T6852] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1047.865771][ T6852] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1047.878717][ T6852] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1047.886285][ T6852] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1047.912878][ T6852] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1047.973368][ T6852] device hsr_slave_0 entered promiscuous mode
[ 1048.000355][ T6852] device hsr_slave_1 entered promiscuous mode
[ 1048.151417][ T6852] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1048.203259][ T6852] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1048.262439][ T6852] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1048.302939][ T6852] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1048.386770][ T6852] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1048.393993][ T6852] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1048.401973][ T6852] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1048.409038][ T6852] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1048.454677][ T6852] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1048.468555][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1048.479738][ T6982] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1048.488501][ T6982] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1048.497411][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1048.511306][ T6852] 8021q: adding VLAN 0 to HW filter on device team0
[ 1048.523997][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1048.532739][ T6822] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1048.540141][ T6822] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1048.560688][ T6761] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1048.569137][ T6761] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1048.576257][ T6761] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1048.585561][ T6761] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1048.605569][ T6852] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1048.616916][ T6852] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1048.631671][ T7064] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1048.639963][ T7064] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1048.648367][ T7064] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1048.659109][ T7064] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1048.669546][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1048.690778][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1048.698245][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1048.713604][ T6852] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1048.741486][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1048.751124][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1048.763983][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1048.773046][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1048.781939][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1048.789807][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1048.801471][ T6852] device veth0_vlan entered promiscuous mode
[ 1048.813838][ T6852] device veth1_vlan entered promiscuous mode
[ 1048.834741][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1048.843835][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1048.852597][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1048.861364][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1048.872846][ T6852] device veth0_macvtap entered promiscuous mode
[ 1048.884781][ T6852] device veth1_macvtap entered promiscuous mode
[ 1048.901571][ T6852] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1048.908990][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1048.918692][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1048.927270][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1048.936690][ T6982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1048.949011][ T6852] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1048.956506][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1048.965961][ T6822] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1048.978604][ T6852] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1048.988450][ T6852] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1048.997264][ T6852] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1049.006125][ T6852] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1050.889186][ T7082] ==================================================================
[ 1050.889235][ T7082] BUG: KASAN: use-after-free in vc_do_resize+0x9d8/0x1180
[ 1050.889243][ T7082] Read of size 2 at addr ffff88809e2c5e82 by task syz-executor.0/7082
[ 1050.889246][ T7082]
[ 1050.889262][ T7082] CPU: 1 PID: 7082 Comm: syz-executor.0 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 1050.889267][ T7082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1050.889271][ T7082] Call Trace:
[ 1050.889283][ T7082] dump_stack+0x18f/0x20d
[ 1050.889293][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.889300][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.889312][ T7082] print_address_description.constprop.0.cold+0xae/0x497
[ 1050.889389][ T7082] ? lockdep_hardirqs_off+0x7e/0xb0
[ 1050.889400][ T7082] ? vprintk_func+0x97/0x1a6
[ 1050.889409][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.889416][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.889425][ T7082] kasan_report.cold+0x1f/0x37
[ 1050.889434][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.889444][ T7082] check_memory_region+0x13d/0x180
[ 1050.889453][ T7082] memcpy+0x20/0x60
[ 1050.889461][ T7082] vc_do_resize+0x9d8/0x1180
[ 1050.889478][ T7082] ? store_bind+0x6a0/0x6a0
[ 1050.889489][ T7082] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 1050.889496][ T7082] ? trace_kmalloc+0xfd/0x130
[ 1050.889511][ T7082] fbcon_modechanged+0x36c/0x710
[ 1050.889523][ T7082] fbcon_update_vcs+0x3a/0x50
[ 1050.889530][ T7082] fb_set_var+0xae8/0xd60
[ 1050.889539][ T7082] ? fb_blank+0x190/0x190
[ 1050.889548][ T7082] ? lock_release+0x8e0/0x8e0
[ 1050.889561][ T7082] ? lock_is_held_type+0xbb/0xf0
[ 1050.889574][ T7082] ? do_fb_ioctl+0x2f2/0x6c0
[ 1050.889609][ T7082] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 1050.889619][ T7082] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 1050.889629][ T7082] ? trace_hardirqs_on+0x5f/0x220
[ 1050.889640][ T7082] do_fb_ioctl+0x33f/0x6c0
[ 1050.889648][ T7082] ? fb_set_suspend+0x1a0/0x1a0
[ 1050.889659][ T7082] ? tomoyo_execute_permission+0x470/0x470
[ 1050.889669][ T7082] ? lock_acquire+0x1f1/0xad0
[ 1050.889687][ T7082] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 1050.889698][ T7082] ? do_vfs_ioctl+0x27d/0x1090
[ 1050.889716][ T7082] ? __fget_files+0x294/0x400
[ 1050.889728][ T7082] fb_ioctl+0xdd/0x130
[ 1050.889734][ T7082] ? do_fb_ioctl+0x6c0/0x6c0
[ 1050.889744][ T7082] __x64_sys_ioctl+0x193/0x200
[ 1050.889754][ T7082] do_syscall_64+0x2d/0x70
[ 1050.889763][ T7082] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1050.889770][ T7082] RIP: 0033:0x45ce79
[ 1050.889782][ T7082] Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1050.889787][ T7082] RSP: 002b:00007f31baceec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1050.889797][ T7082] RAX: ffffffffffffffda RBX: 000000000000d580 RCX: 000000000045ce79
[ 1050.889811][ T7082] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 1050.889821][ T7082] RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
[ 1050.889830][ T7082] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
[ 1050.889840][ T7082] R13: 00007ffc0f8542af R14: 00007f31bacef9c0 R15: 000000000118bf2c
[ 1050.889858][ T7082]
[ 1050.889866][ T7082] Allocated by task 4808:
[ 1050.889880][ T7082] kasan_save_stack+0x1b/0x40
[ 1050.889894][ T7082] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 1050.889905][ T7082] __kmalloc+0x1a8/0x320
[ 1050.889923][ T7082] tomoyo_encode2.part.0+0xe9/0x3a0
[ 1050.889934][ T7082] tomoyo_encode+0x28/0x50
[ 1050.889945][ T7082] tomoyo_realpath_from_path+0x186/0x620
[ 1050.889960][ T7082] tomoyo_path_perm+0x212/0x3f0
[ 1050.889975][ T7082] security_inode_getattr+0xcf/0x140
[ 1050.889989][ T7082] vfs_statx+0x170/0x390
[ 1050.890002][ T7082] __do_sys_newstat+0x91/0x110
[ 1050.890014][ T7082] do_syscall_64+0x2d/0x70
[ 1050.890026][ T7082] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1050.890030][ T7082]
[ 1050.890040][ T7082] The buggy address belongs to the object at ffff88809e2c5e80
[ 1050.890040][ T7082] which belongs to the cache kmalloc-32 of size 32
[ 1050.890052][ T7082] The buggy address is located 2 bytes inside of
[ 1050.890052][ T7082] 32-byte region [ffff88809e2c5e80, ffff88809e2c5ea0)
[ 1050.890058][ T7082] The buggy address belongs to the page:
[ 1050.890076][ T7082] page:0000000092cae990 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e2c5fc1 pfn:0x9e2c5
[ 1050.890086][ T7082] flags: 0xfffe0000000200(slab)
[ 1050.890105][ T7082] raw: 00fffe0000000200 ffffea00026668c8 ffffea00024f9c08 ffff8880aa000100
[ 1050.890122][ T7082] raw: ffff88809e2c5fc1 ffff88809e2c5000 000000010000003d 0000000000000000
[ 1050.890129][ T7082] page dumped because: kasan: bad access detected
[ 1050.890134][ T7082]
[ 1050.890139][ T7082] Memory state around the buggy address:
[ 1050.890151][ T7082]  ffff88809e2c5d80: 05 fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 1050.890163][ T7082]  ffff88809e2c5e00: fa fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 1050.890174][ T7082] >ffff88809e2c5e80: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
[ 1050.890180][ T7082]                    ^
[ 1050.890192][ T7082]  ffff88809e2c5f00: 00 01 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[ 1050.890203][ T7082]  ffff88809e2c5f80: 00 03 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1050.890209][ T7082] ==================================================================
[ 1050.890215][ T7082] Disabling lock debugging due to kernel taint
[ 1050.892161][ T7082] Kernel panic - not syncing: panic_on_warn set ...
[ 1050.892178][ T7082] CPU: 1 PID: 7082 Comm: syz-executor.0 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[ 1050.892186][ T7082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1050.892190][ T7082] Call Trace:
[ 1050.892207][ T7082] dump_stack+0x18f/0x20d
[ 1050.892221][ T7082] ? vc_do_resize+0x990/0x1180
[ 1050.892235][ T7082] panic+0x2e3/0x75c
[ 1050.892261][ T7082] ? __warn_printk+0xf3/0xf3
[ 1050.892278][ T7082] ? preempt_schedule_common+0x59/0xc0
[ 1050.892290][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.892305][ T7082] ? preempt_schedule_thunk+0x16/0x18
[ 1050.892319][ T7082] ? trace_hardirqs_on+0x55/0x220
[ 1050.892333][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.892354][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.892367][ T7082] end_report+0x4d/0x53
[ 1050.892381][ T7082] kasan_report.cold+0xd/0x37
[ 1050.892394][ T7082] ? vc_do_resize+0x9d8/0x1180
[ 1050.892409][ T7082] check_memory_region+0x13d/0x180
[ 1050.892422][ T7082] memcpy+0x20/0x60
[ 1050.892434][ T7082] vc_do_resize+0x9d8/0x1180
[ 1050.892453][ T7082] ? store_bind+0x6a0/0x6a0
[ 1050.892468][ T7082] ? rcu_read_lock_sched_held+0x3a/0xb0
[ 1050.892479][ T7082] ? trace_kmalloc+0xfd/0x130
[ 1050.892497][ T7082] fbcon_modechanged+0x36c/0x710
[ 1050.892513][ T7082] fbcon_update_vcs+0x3a/0x50
[ 1050.892524][ T7082] fb_set_var+0xae8/0xd60
[ 1050.892536][ T7082] ? fb_blank+0x190/0x190
[ 1050.892550][ T7082] ? lock_release+0x8e0/0x8e0
[ 1050.892568][ T7082] ? lock_is_held_type+0xbb/0xf0
[ 1050.892584][ T7082] ? do_fb_ioctl+0x2f2/0x6c0
[ 1050.892604][ T7082] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 1050.892618][ T7082] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 1050.892632][ T7082] ? trace_hardirqs_on+0x5f/0x220
[ 1050.892646][ T7082] do_fb_ioctl+0x33f/0x6c0
[ 1050.892670][ T7082] ? fb_set_suspend+0x1a0/0x1a0
[ 1050.892686][ T7082] ? tomoyo_execute_permission+0x470/0x470
[ 1050.892700][ T7082] ? lock_acquire+0x1f1/0xad0
[ 1050.892720][ T7082] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 1050.892734][ T7082] ? do_vfs_ioctl+0x27d/0x1090
[ 1050.892755][ T7082] ? __fget_files+0x294/0x400
[ 1050.892770][ T7082] fb_ioctl+0xdd/0x130
[ 1050.892781][ T7082] ? do_fb_ioctl+0x6c0/0x6c0
[ 1050.892795][ T7082] __x64_sys_ioctl+0x193/0x200
[ 1050.892809][ T7082] do_syscall_64+0x2d/0x70
[ 1050.892823][ T7082] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1050.892832][ T7082] RIP: 0033:0x45ce79
[ 1050.892846][ T7082] Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1050.892854][ T7082] RSP: 002b:00007f31baceec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1050.892868][ T7082] RAX: ffffffffffffffda RBX: 000000000000d580 RCX: 000000000045ce79
[ 1050.892877][ T7082] RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
[ 1050.892886][ T7082] RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
[ 1050.892894][ T7082] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
[ 1050.892903][ T7082] R13: 00007ffc0f8542af R14: 00007f31bacef9c0 R15: 000000000118bf2c
[ 1050.893986][ T7082] Kernel Offset: disabled
[ 1051.728813][ T7082] Rebooting in 86400 seconds..